Newsgroups: php.internals
Subject: [VOTE] Don't automatically unserialize Phar metadata outside getMetadata()
From: tysonandre775@hotmail.com (tyson andre)
To: PHP Internals List
Date: Tue, 21 Jul 2020 13:36:46 +0000

Hi internals,

I've started the vote on https://wiki.php.net/rfc/phar_stop_autoloading_metadata
as announced earlier in https://externals.io/message/110871
([RFC] Don't automatically unserialize Phar metadata outside getMetadata())

This adds the mitigations described in https://externals.io/message/105271#105291 ,
which seemed to be the most straightforward approach to avoiding unexpected side effects of unserialization.

- For a trusted phar, I wouldn't expect to need to unserialize metadata to check for the file not being corrupt
  (e.g. there's a checksum, and people would have tested the phar manually).
- For an untrusted phar, I'd want php to avoid calling unserialize() when reading it through stream wrappers.

https://bugs.php.net/bug.php?id=76774 goes into more detail about the security issues this aims to fix.

Thanks,
- Tyson
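An added example (not code from the RFC or from this post) of how a consumer reads Phar metadata defensively once it is only unserialized inside getMetadata(): it assumes PHP 8.0 or later, where getMetadata() takes the same options array as unserialize(), and the archive path is a placeholder.

```php
<?php
// Added example, not part of the RFC or the mailing-list post.
// Assumes PHP >= 8.0: opening a Phar no longer unserializes its metadata,
// and getMetadata() accepts unserialize() options. Path is a placeholder.

function readPharMetadataSafely(string $path): ?array
{
    // Opening the archive reads the manifest but leaves metadata as raw bytes.
    $phar = new Phar($path);

    // Refuse unsigned archives and weak hash types. Note: a hash signature
    // only proves the file was not corrupted; it says nothing about who built it.
    $sig = $phar->getSignature();
    if ($sig === false || !in_array($sig['hash_type'], ['SHA-256', 'SHA-512', 'OpenSSL'], true)) {
        return null;
    }

    if (!$phar->hasMetadata()) {
        return [];
    }

    // allowed_classes => false keeps object payloads from being instantiated:
    // they come back as __PHP_Incomplete_Class, so no __wakeup()/__destruct()
    // of application classes runs on attacker-controlled bytes.
    $meta = $phar->getMetadata(['allowed_classes' => false]);

    return is_array($meta) ? $meta : ['value' => $meta];
}

$meta = readPharMetadataSafely('/path/to/archive.phar'); // placeholder path
var_dump($meta);
```

On PHP before 8.0 the metadata is already unserialized by the time the Phar object or a phar:// stream is opened, so the options array cannot help there; the RFC's point is to make this late, opt-in decoding the only path.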